Manual signing .appex breaks the safari browser extension

Question

Created Apr ’22

Replies 2

Boosts 0

Views 1.9k

Participants 2

Hello!

I am trying to build a CI pipeline for a safari browser extension. And in order to achieve this I am manually signing the .app.

The file that creates problems is the .appex. From "extensionName.app/Contents/PlugIns/extenstionName Extension.appex". Not signing this file causes the notarization to flag the package as invalid. The order that I achieved the signing and caused the notarisation to work is this.

(not actual signing request lines, I simplified them for easier readability)

# Signing first all the .dylib files
-timestamp --options runtime  "extenstionName.app/Contents/Frameworks/*.dylib"
# Then signing the binary from the appex
--prefix=com.domain. --timestamp --options runtime  "extenstionName.app/Contents/PlugIns/extenstionName Extension.appex/Contents/MacOS/extenstionName Extension"
# Then signing the .app package
--prefix=com.domain. --timestamp --options runtime  "extenstionName.app/"
# And at the end signing the .appex
--prefix=com.domain. --timestamp --options runtime  "extensionName.app/Contents/PlugIns/extensionName Extension.appex"

If I do the signing this way the notarization works, and the .app is code signed and can be verified. The issue is that the extension does not load at all in safari, not even with Allow Unsigned Extensions enabled. And I can't find any way to debug this. Clicking Quit and Open Safari Extensions Preferences... does nothing, nothing appears inside the Safari Extension Preferences menu.

I tried multiple combinations of signing order.

Signing the .appex before the .app causes the code signature to not be valid at all.
Do not sign the .appex at all causes the .app to be verified and signed but in safari you need to have unsigned extension enabled. And also the notarization fails throwing errors about the .appex that is not signed
Not signing the binary from the .appex causes the notarization to fail throwing error that that binary is not signed.

Also I tried to run the signed and notarized .app on a clean macOS computer, and it does not load into safari, the same that happens on the development computer.

Boost

Answer 1

DTS Engineer OP

Apple

Apr ’22

First up, if you’re signing code manually, read the following for general background:

As to what’s happening here, you wrote:

I am trying to build a CI pipeline for a safari browser extension.

Does that mean that your problem only shows up when you build using your CI pipeline? That is, building your product normally works?

If so, what does your normal build process look like? Are you just building in Xcode?

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0

Answer 2

DTS Engineer OP

Apple

Apr ’22

I don't have access to the certificates. Only to a signing service.

Hmmm. Are you sure the signing service is obeying your commands? That is, if you tell it to sign items in a particular order, are you sure that it actually do that?

The reason I ask is this:

as It should be logic, the .appex needs to be signed before the .app.

Yes.

But If I do that, the signature is invalid

That’s very strange.

If I check the .app with codesign --deep --verify -vvvv I get the signature as invalid, all .dylib are flagged as file modified and also the .appex is flagged as modified.

This is what made me ask my initial question, because that just shouldn’t happen.

If you want to dig deeper into this, you can dig into the code signature hashes to confirm the result shown by --verify. You may even be able to compare old and new hashes to see where things wrong. See A Peek Behind the Code Signing Curtain for more details on how to do that.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0